################ Req Section ################
# This is used by the `openssl req` command
# to create a certificate request

[ req ]

# Don't prompt for the DN, use configured values instead
# This saves having to type in your DN each time.

prompt             = no
string_mask        = default
distinguished_name = req_dn

# The size of the keys in bits:
default_bits       = 4096

# The extensions added when generating a CSR
#req_extensions     = req_ext

[ req_dn ]

countryName = RU
stateOrProvinceName = MO
localityName = Moscow
organizationName = 63l06ri5
organizationalUnitName = HQ
commonName = 63l06ri5's company 

[ req_ext ]

# Extensions added to the request

################ CA Section ################
# This is used with the 'openssl ca' command
# to sign a request

[ ca ]

default_ca = CA

[ CA ]

# Where OpenSSL stores information

dir             = .                             # Where everything is kept
certs           = $dir                          # Where the issued certs are kept
crldir          = $dir                          # Where the issued crl are kept

new_certs_dir   = $certs
database        = $dir/index
certificate     = $certs/rootcrt.pem
private_key     = $dir/rootprivkey.pem
crl             = $crldir/crl.pem   
serial          = $dir/serial.txt
RANDFILE        = $dir/.rand

# How OpenSSL will display certificate after signing
name_opt    = ca_default
cert_opt    = ca_default

# How long the CA certificate is valid for
default_days = 3650
# default_startdate  = 180517000000Z
# default_enddate    = 181231235959Z

# The message digest for self-signing the certificate
# sha1 or sha256 for best compatability, although most
# OpenSSL digest algorithm can be used.
# md4,md5,mdc2,rmd160,sha1,sha256
default_md = sha256

# Subjects don't have to be unique in this CA's database
unique_subject    = no
# What to do with CSR extensions
copy_extensions    = copy

# Rules on mandatory or optional DN components
policy      = simple_policy

# Extensions added while singing with the `openssl ca` command
x509_extensions = x509_ext

[ simple_policy ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
domainComponent         = optional
emailAddress            = optional
name                    = optional
surname                 = optional
givenName               = optional
dnQualifier             = optional

[ x509_ext ]

# These extensions are for a CA certificate

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always

basicConstraints            = critical, CA:TRUE
# basicConstraints          = critical, CA:TRUE, pathlen:1

keyUsage = critical, keyCertSign, cRLSign